Securing Your Android Device

Terry Labach

Information Security Services, IST

"To see everything without being seen is, needless to say, the prerogative of the biblical God whose eyes run everywhere, as well as the labor of spies and surveillance agencies, and the fondest desire of the voyeur.“

- Margaret Atwood

#watitis2013

Android

• mobile device operating system• market share 43% in Canada, 52% in the

US, 80% worldwide• 2013 DHS/FBI report stated Android

attracted 79 per cent of all malware attacks because of “market share and open source architecture”

#watitis2013

Android risks

• open architecture offers more opportunities for attack

• many vendor and developer-tweaked versions, harder to patch

• “rooted” phones can use wider range of features but lose protection

• no magic bullet to mitigate risks

#watitis2013

What's on your phone?

• social media apps• financial/banking apps• photos• address book• usernames, passwords• …

#watitis2013

What are bad guys looking for?

• $$$• steal phone for resale• banking information• texts to premium SMS• in-app purchases• …

#watitis2013

Steps to securing your device• Physical security• Access security• File security• App security• Network security• System security• Usage security• Software

#watitis2013

Physical security

• Hang on to phone• Don't leave it unattended

#watitis2013

Access security

• Screen lock phone with– swipe code– PIN– password

#watitis2013

#watitis2013

File security

• Back up files• Encrypt files

#watitis2013

Encrypt files

• individually – simplest method but onerous• APG - OpenPGP implementation for

Android• https://play.google.com/store/apps/details?

id=org.thialfihar.android.apg

#watitis2013

Encrypt SD card

• Depending on device, select one of– Settings > Security– Settings > Storage

• Select SD card encryption checkbox• Encrypt before adding data!• Once set, any non-encrypted SD card

placed in phone will be read only.

#watitis2013

#watitis2013

#watitis2013

Pre encryption

Post encryption

#watitis2013

Encrypt phone storage

• protects internal phone memory• slows phone operations• fully charge phone first, keep plugged in

during encryption

#watitis2013

Encrypt phone storage

• Depending on device, select one of– Settings > Security– Settings > Storage

• select Storage encryption checkbox• storage will be encrypted• can’t undo encryption, factory reset only

way to unencrypt, causing data loss

#watitis2013

Network security

• Turn off WiFi/Bluetooth/NFC when not needed

• WiFi– avoid joining unknown networks and using

public hotspots

• Don't use unencrypted communications– VPN (AnyConnect)– Web (https)

#watitis2013

Near field communication (NFC)

• NFC tags are chips that will share digital information

• on some Android devices, NFC is allowed to automatically launch the web browser

• could download malware• villain creates malicious NFC tags and

places them near legitimate ones

#watitis2013

Controlling network access

• JuiceDefender• https://play.google.com/store/apps/details?

id=com.latedroid.juicedefender&hl=en• location-aware WiFi Control (e.g. enable

WiFi only at home/work, disable it otherwise)

#watitis2013

Usage security

• phishing• vishing• smishing

#watitis2013

QR codes

• encode URLS as bar code• used to disguise malware

#watitis2013

#watitis2013

App security

• some apps, even from the Google Play store, have malicious features– keyloggers– contact snooping– data theft– malware downloads more malware– root attacks

#watitis2013

Limit the apps you install

• limit the number• don't automatically install apps if website/

message/popup tells you to do so• don’t install if permissions are suspicious• limit app permissions• buy your apps instead of installing free

cracked versions

#watitis2013

#watitis2013

App security

• disable untrusted app stores• open one of

– Settings>Applications– Settings>Security

• locate the Unknown sources• ensure it is unchecked

#watitis2013

#watitis2013

Maintain your apps

• Prevent accidental app purchases• Update your apps• Remove old apps

#watitis2013

#watitis2013

System security

• patch and update Android• vendor updates• reliable third-party distributions

– Cyanogenmod• http://www.cyanogenmod.org/

– Replicant• http://replicant.us

#watitis2013

System security

• disable Google sync of WiFi passwords, settings, etc.

#watitis2013

#watitis2013

Security software

• Software suites• Avast! Mobile Security

– antivirus, firewall, phone tracker, privacy, etc.

• Lookout Security & Antivirus– antivirus, phone tracker, privacy, etc.

• 360 Mobile Security– antivirus, privacy, etc.

#watitis2013

Security software

• Kaspersky Internet Security for Android– antivirus, phone tracker, privacy, etc.

• Norton Security antivirus– antivirus, phone tracker, privacy, etc.

#watitis2013

Privacy software

• Wickr - Top Secret Messenger– self-destructing, encrypted messages

• Clueful for Android– shows you how installed apps use your

personal information

#watitis2013

My phone’s been stolen!

• report to campus police• change passwords on accounts used by

the device immediately• attempt to locate using a software suite

mentioned above, or• Where's My Droid• Android Device Manager

#watitis2013

Where's My Droid

• special text message to phone will cause it to respond

• in some cases, can install from Play Store after phone is lost or stolen

• risk of misuse if someone knows you use this app

#watitis2013

Android Device Manager

• https://www.google.com/android/devicemanager

• Remotely locate and factory reset your device

#watitis2013

#watitis2013

References - Canada

• Public Safety Canada– Using mobile devices

• http://www.getcybersafe.gc.ca/cnt/rsks/nln-ctvts/mbl-eng.aspx

– Using web-enabled devices safely• http://www.getcybersafe.gc.ca/cnt/prtct-dvcs/mbl-

dvcs/index-eng.aspx

#watitis2013

References - US

• United States Computer Emergency Readiness Team– http://www.us-cert.gov– Technical Information Paper: Cyber Threats to

Mobile Devices– http://www.us-cert.gov/reading_room/TIP10-1

05-01.pdf

#watitis2013

References - US

• CERT (Computer Emergency Response Team)– http://www.cert.org– Mobile Device Security: Threats, Risks, and

Actions to Take– http://www.cert.org/podcast/show/

20100831frederick.html

#watitis2013

References - technical

• XDA Developers– http://www.xda-developers.com/

• XDA Android Developers forum– http://forum.xda-developers.com/android

• 20 security and privacy apps for Androids and iPhones– http://www.csoonline.com/slideshow/detail/

66493

#watitis2013

References - UW

• University of Waterloo Information Security Services (ISS) team– https://uwaterloo.ca/information-systems-

technology/about/organizational-structure/information-security-services

• University of Waterloo Security Operations Centre (SOC)– soc@uwaterloo.ca

#watitis2013

References - UW

• Terry Labach– tlabach@uwaterloo.ca

• User education• Developer and project consulting• Web application scanning

#watitis2013

Questions?

#watitis2013

#watitis2013

#watitis2013

#watitis2013